2.3.17.8 Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'

Information

This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to:

%ProgramFiles%

%windir%

%windir%\System32

HKEY_LOCAL_MACHINE\SOFTWARE

The recommended state for this setting is: Enabled.

Rationale:

This setting reduces vulnerabilities by ensuring that legacy applications only write data to permitted locations.

Impact:

None - this is the default behavior.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Virtualize file and registry write failures to per-user locations

Default Value:

Enabled. (Application write failures are redirected at run time to defined user locations for both the file system and registry.)

See Also

https://workbench.cisecurity.org/benchmarks/14249

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CCE|CCE-35459-7, CSCv7|5.1

Plugin: Windows

Control ID: 4699c3b2ac9edc3bb26f8a431ed237ebb438d557409ea195b90ecb5ea43d04dc